Fake "hack-back" offers are putting ransomware victims at further risk

Code Skull
(Image credit: Shutterstock)

Ransomware victims are being targeted by scammers looking to trick them out of even more of their hard-earned money, new research has claimed.

A report from Arctic Wolf, which observed at least two such incidents where a person claiming to be an ethical hacker reached out to ransomware victims and offered to break into the ransomware operators’ infrastructure and permanently delete the stolen databases. 

In one such instance, the hacker asked for roughly $190,000 in cryptocurrency (up to five bitcoin). Even though the victims were approached by people with different aliases, the researchers believe it’s actually the same individual in both attempts.

Too many coincidences

In one case, the company fell prey to Royal ransomware, while in the other, Akira. In the first instance, the fraudster presented themselves as “Ethical Side Group”, and offered to return the data from the “TommyLeaks” gang, instead of the actual hackers - Royal. What’s more, the fraudster didn’t seem to know that the negotiations between the victim and Royal were concluded back in 2022. 

In the second incident, a fraudster with an alias “xanonymoux” reached out to a victim firm, offering to delete the data from Akira’s servers when, in reality, Akira never stole the data - just encrypted it on the victim’s endpoints. 

Finally, Arctic Wolf saw that during the initial communication, in both instances, ten common phrases were used. Both scammers used the same method to prove they had access to the stolen data. All of this led them to believe that this was, in fact, the same individual.

Usually, when a ransomware operator targets a network, they not only encrypt the data, but also steal it and threaten to release it to the dark web, unless a payment is made. In fact, the data theft part is arguably more disruptive than the encryption part, as businesses have become better at restoring their systems from backups. A data leak, however, can cause irreparable damage.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.